Re: AGOVA-52 Support to programmatically control callback URL pr auth request


Antoine Sabot-Durand

Nov 21, 2013, 4:24:51 AM11/21/13
to agora...@googlegroups.com, John Schneider
Hi John

I answer your mail on the ML as it can be useful to have others on the conversation

You’re right, the default behavior should copy all of the query string into the final URL (the famous Internal Callback). When I started to implement this feature, my first idea was to use the first callback URL (the one the remote service sends the user back to on your application) to store the internal callback as an encoded query string parameter, for the sake of a stateless REST approach. Thinking of this mechanism brought me to envision use cases where the developer would like to add other information to this returning query string, which is the reason I started reproducing it from the callback to the internal callback.
Then I realized that the whole process couldn’t be stateless by design, because we need to keep the OAuthSession on the server (remember that OAuthSession contains public info and very sensitive info that we want to keep on the server as much as possible) and we need a means to associate the OAuthSession with the returning user in the callback. So I had the idea of using the OAuthSession to store an arbitrary data map associated with this OAuth connection. But I forgot to remove the query string copy in the callback…

So the right behavior would be to avoid this parameter duplication, except for the « repoid » param (if it is present), which is the user tracker for the « request » resolver strategy. Should someone want another behavior, she only has to create her own callback servlet…
There are other use cases not covered by the callback process: « What happens if the resolver is based on the cookie strategy and my user launches multiple windows on my app, with multiple OAuth dances in parallel? » The session id should be sent as well, to make sure we address the right OAuthSession in the callback and not the session of the neighbor window...

If you feel like it, you can create a Jira ticket for this point and submit a pull request. 0.7.1 is waiting for your fix ;)

Regards


Antoine

On Nov 21, 2013, at 04:50, John Schneider <john.a.s...@gmail.com> wrote:

Hi Antoine,

I really like the concept of the internal callback URL. I'm now using it to redirect to the Referer URL stored in the request header map. One thing I noticed is that the query string of the callback servlet request is left intact in the URL, so the user sees the OAuth token in the URL shown in the browser location bar. I can see how some people might need to retain the query string, but I'd really like to remove it for my current use case.

What do you think of adding a boolean parameter to OAuthLifeCycleService.startDanceFor that will indicate whether to use the querystring in the redirection to the internal callback?  So, in OAuthCallbackServlet.renderResponse, we would have something like:
if (lifeCycleService.isRetainQueryString()) internalCallBack += "?" + req.getQueryString();


Please let me know your thoughts on this.

Thanks,
John
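As an added illustration of the behavior Antoine describes (forward only « repoid », drop everything else, so the OAuth token never reaches the browser's location bar), here is a stand-alone Java helper that rebuilds the internal callback URL from the callback servlet's query string using an allow-list. This is example code written for this thread, not Agorava's own; the class name, method name and the sample query string are my own assumptions, and Agorava's OAuthCallbackServlet / req.getQueryString() are only mentioned in comments.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Rebuilds the internal callback URL, forwarding only allow-listed query parameters. */
public final class InternalCallbackBuilder {

    // Only these parameters of the provider's callback may be copied to the internal callback.
    // "repoid" is the user tracker of the "request" resolver strategy (see the thread);
    // oauth_token, oauth_verifier, code and anything else are dropped.
    private static final Set<String> FORWARDED = Set.of("repoid");

    /** @param callbackQueryString the raw value of req.getQueryString() in the callback servlet */
    public static String build(String internalCallback, String callbackQueryString) {
        Map<String, String> kept = new LinkedHashMap<>();
        if (callbackQueryString != null && !callbackQueryString.isEmpty()) {
            for (String pair : callbackQueryString.split("&")) {
                int eq = pair.indexOf('=');
                String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
                String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                if (FORWARDED.contains(name)) {
                    kept.put(name, value); // decoded here, re-encoded below: no smuggled extra params
                }
            }
        }
        if (kept.isEmpty()) {
            return internalCallback; // nothing to forward: the internal callback stays clean
        }
        StringBuilder sb = new StringBuilder(internalCallback);
        sb.append(internalCallback.indexOf('?') >= 0 ? '&' : '?');
        boolean first = true;
        for (Map.Entry<String, String> e : kept.entrySet()) {
            if (!first) sb.append('&');
            first = false;
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of what a provider appends when sending the user back (not real tokens).
        String q = "oauth_token=tok123&oauth_verifier=ver456&repoid=42";
        System.out.println(build("https://app.example.org/home", q));
    }
}
```

Requires Java 10 or later for the Charset overloads of URLDecoder/URLEncoder and Set.of.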
